Network Footprinting - Fingerprinting

While both footprinting and fingerprinting attempt to analyze a network for vulnerabilities; footprinting performs it in a more generalized manner, while fingerprinting examines specific aspects of the network.

In footprinting , the attacker may utilize “whois”, nslookup, traceroute, enumerators, pinging, social engineering, , or other tools to ascertain information about the network, such as: key personnel, topology, protocols used, IDS / IPS in use, IPs of machines on the network, ports, shares and services that are vulnerable , et cetera.

In fingerprinting, the attacker will direct specially crafted packets at the target, which will elicit a signature response from the device. This response will tell the attacker what OS, service, version et cetera, the node is using, as a result the attacker is able to fine-tune their assault.

These acts of remote fingerprinting can be either active or passive. When the fingerprinting is passive, the attacker is monitoring for traffic that is occurring between the device, and other nodes. When there is active fingerprinting, the attacker is sending uniquely constructed packets to the device, and monitors the response.

Fingerprinting can be mitigated against by using "scrubbers", which will "normalize" the packets, and remove the unique identifying traits that the attacker is seeking.

There are also “personality” strategies, such as the use of IP Personality, which will alter packets, and cause responses from the device to appear as if it was from a another device, with different characteristics. Additionally, firewalls may be deployed to block traffic with abnormal combinations of IPs, and ports.